Answer CCNA Security Practice Final – CCNAS v2.0

This post contains question and answers for CCNA Security: Implementing Network Security (Version 2.0) – CCNA Security 2.0 PRACTICE Final. This post contributed by someone known as anotherhelper. I hope this post answer CCNA Security Practice Final – CCNAS v2.0 will help you all in your study. Please be reminded this is Practice Final. If you are looking for Final Exam questions and answers you may take a look at following post Answer CCNA Security Final Exam – CCNAS v2.0

CCNA Security Practice Final version 2.0

Refer to the exhibit. Based on the output generated by the show monitor session 1 command, how will SPAN operate on the switch?

All traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1.

Native VLAN traffic transmitted from VLAN 10 or received on VLAN 20 is forwarded to FastEthernet 0/1.

All traffic transmitted from VLAN 10 or received on VLAN 20 is forwarded to FastEthernet 0/1.

Native VLAN traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1.

Refer to the exhibit. The ISAKMP policy for the IKE Phase 1 tunnel was configured, but the tunnel does not yet exist. Which action should be taken next before IKE Phase 1 negotiations can begin?

Configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel.

Bind the transform set with the rest of the IPsec policy in a crypto map​.

Configure the IPsec tunnel lifetime​.

Configure an ACL to define interesting traffic.

On what switch ports should PortFast be enabled to enhance STP stability?

only ports that are elected as designated ports

only ports that attach to a neighboring switch

all trunk ports that are not root ports

all end-user ports

What is the function of the Hashed Message Authentication Code (HMAC) algorithm in setting up an IPsec VPN?

authenticates the IPsec peers

guarantees message integrity

protects IPsec keys during session negotiation

creates a secure channel for key negotiation

What ports can receive forwarded traffic from an isolated port that is part of a PVLAN?

other isolated ports and community ports

only promiscuous ports

all other ports within the same community

only isolated ports

What is the next step in the establishment of an IPsec VPN after IKE Phase 1 is complete?

negotiation of the ISAKMP policy

negotiation of the IPsec SA policy

detection of interesting traffic

authentication of peers

Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)

physical security

flash security

remote access security

operating system security

zone isolation

router hardening

What is the purpose of AAA accounting?

to prove users are who they say they are

to determine which operations the user can perform

to determine which resources the user can access

to collect and report data usage

What service or protocol does the Secure Copy Protocol rely on to ensure that secure copy transfers are from authorized users?

Router management interfaces must be manually assigned to the self zone.

Which two statements describe the use of asymmetric algorithms? (Choose two.)

Public and private keys may be used interchangeably.

If a public key is used to encrypt the data, a public key must be used to decrypt the data.

If a private key is used to encrypt the data, a public key must be used to decrypt the data.

If a public key is used to encrypt the data, a private key must be used to decrypt the data.

If a private key is used to encrypt the data, a private key must be used to decrypt the data.

What are three characteristics of the RADIUS protocol? (Choose three.)

utilizes TCP port 49

is an open IETF standard AAA protocol

uses UDP ports for authentication and accounting

is widely used in VOIP and 802.1X implementations

separates authentication and authorization processes

encrypts the entire body of the packet

What algorithm is used with IPsec to provide data confidentiality?

AES

RSA

MD5

Diffie-Hellman

SHA

When configuring SSH on a router to implement secure network management, a network engineer has issued the login local and transport input ssh line vty commands. What three additional configuration actions have to be performed to complete the SSH configuration? (Choose three.)

Create a valid local username and password database.

Generate the asymmetric RSA keys.

Set the user privilege levels.

Configure role-based CLI access.

Configure the correct IP domain name.

Manually enable SSH after the RSA keys are generated.

What is an advantage of HIPS that is not provided by IDS?

HIPS protects critical system resources and monitors operating system processes.

The large numbers used by DH make it too slow for bulk data transfers.

DH requires a shared key which is easily exchanged between sender and receiver.

What information does the SIEM network security management tool provide to network administrators?

real time reporting and analysis of security events

assessment of system security configurations

a map of network systems and services

detection of open TCP and UDP ports

What can be configured as part of a network object?

interface type

IP address and mask

upper layer protocol

source and destination MAC address

A user complains about not being able to gain access to the network. What command would be used by the network administrator to determine which AAA method list is being used for this particular user as the user logs on?

debug aaa accounting

debug aaa authorization

debug aaa authentication

debug aaa protocol

What is a limitation to using OOB management on a large enterprise network?

A company deploys a network-based IPS. Which statement describes a false negative alarm that is issued by the IPS sensor?

A normal user packet passes and no alarm is generated.

A normal user packet passes and an alarm is generated.

An attack packet passes and an alarm is generated.

An attack packet passes and no alarm is generated.

What type of ACL offers greater flexibility and control over network access?

flexible

named standard

extended

numbered standard

Which security document includes implementation details, usually with step-by-step instructions and graphics?

overview document

procedure document

guideline document

standard document

What is a characteristic of a DMZ zone?

Traffic originating from the inside network going to the DMZ network is not permitted.

Traffic originating from the outside network going to the DMZ network is selectively permitted.

Traffic originating from the DMZ network going to the inside network is permitted.

Traffic originating from the inside network going to the DMZ network is selectively permitted.

Which type of ASDM connection would provide secure remote access for remote users into corporate networks?

ASDM Launcher

AnyConnect SSL VPN

site-to-site VPN

Java Web Start VPN

Which three forwarding plane services and functions are enabled by the Cisco AutoSecure feature?​ (Choose three.)

secure SSH access

Cisco IOS firewall inspection

Cisco Express Forwarding (CEF)

traffic filtering with ACLs

secure password and login functions

legal notification using a banner

Which feature of the Cisco Network Foundation Protection framework prevents a route processor from being overwhelmed by unnecessary traffic?

Control Plane Policing

IP Source Guard

port security

access control lists

What three tasks can a network administrator accomplish with the Nmap and Zenmap security testing tools? (Choose three.)

open UDP and TCP port detection

operating system fingerprinting

password recovery

security event analysis and reporting

assessment of Layer 3 protocol support on hosts

development of IDS signatures

What is a characteristic of an ASA site-to-site VPN?

ASA site-to-site VPNs create a secure single-user-to-LAN connection.

The IPsec protocol protects the data transmitted through the site-to-site tunnel.

ASA site-to-site VPNs can only be established between ASA devices.​

The first echo request packet sent to test the establishment of the tunnel always succeeds.

What is a result of enabling the Cisco IOS image resilience feature?

Secured files can be viewed in the output of a CLI-issued command.

Multiple primary bootset files can be accessed.

The feature can only be disabled through a console session.

Images on a TFTP server can be secured.

What does the keyword default specify when used with the aaa authentication login command?

Authentication must be specifically set for all lines, otherwise access is denied and no authentication is performed.

Authentication is automatically enabled for the vty lines utilizing the enable password.

The local username/password database is accessed for authentication.

Authentication is automatically applied to the con 0, aux, and vty lines.

What are two protocols that are used by AAA to authenticate users against a central database of usernames and password? (Choose two.)

RADIUS

SSH

HTTPS

CHAP

NTP

TACACS+

Which service should be disabled on a router to prevent a malicious host from falsely responding to ARP requests with the intent to redirect the Ethernet frames?

LLDP

reverse ARP

proxy ARP

CDP

What is a characteristic of asymmetric algorithms?

Key management is more difficult with asymmetric algorithms than it is with symmetric algorithms.

Very long key lengths are used.

Both the sender and the receiver know the key before communication is shared.

Asymmetric algorithms are easier for hardware to accelerate.

What are two drawbacks in assigning user privilege levels on a Cisco router? (Choose two.)

Only a root user can add or remove commands.

Privilege levels must be set to permit access control to specific device interfaces, ports, or slots.

Assigning a command with multiple keywords allows access to all commands using those keywords.

Commands from a lower level are always executable at a higher level.

AAA must be enabled. [incorrect]

Feel free to drop comments should you find any incorrect answers or found new question for CCNA Security Practice Final. Alternatively, you may send email to admin@invialgo.com to include any picture or images.

A company deploys a hub-and-spoke VPN topology where the security appliance is the hub and the remote VPN networks are the spokes. Which VPN method should be used in order for one spoke to communicate with another spoke through the single public interface of the security appliance?
-GRE
-hairpinning
-split tunneling
-MPLS

A security technician is evaluating a new operations security proposal designed to limit access to all servers. What is an advantage of using network security testing to evaluate the new proposal?
-Network security testing proactively evaluates the effectiveness of the proposal before any real threat occurs.
-Network security testing is most effective when deploying new security proposals.
-Network security testing is specifically designed to evaluate administrative tasks involving server and workstation access.
-Network security testing is simple because it requires just one test to evaluate the new proposal.